authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-05-11 17:40:19 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-05-11 17:40:19 +0200
commite67d268f8b478199f3537cdb97eb428ede964a3c (patch)
tree8af9c0e4a372a088d931a12f285cc4751efb0b93 /sys/boot/default.nix
parentfeat(hm/conf/firefox/conf/search): Add a direct nixos github pr search (diff)
feat(sys/boot): Provide the latest arch-iso as boot target
Diffstat (limited to 'sys/boot/default.nix')
-rw-r--r--sys/boot/default.nix41
1 files changed, 31 insertions, 10 deletions
diff --git a/sys/boot/default.nix b/sys/boot/default.nix
index 9606c7b3..625394e8 100644
--- a/sys/boot/default.nix
+++ b/sys/boot/default.nix
@@ -1,8 +1,4 @@
-{
-  pkgs,
-  lib,
-  ...
-}: {
+{pkgs, ...}: {
   boot = {
     initrd = {
       #compressor = "lz4";
@@ -15,14 +11,39 @@
     lanzaboote = {
       enable = true;
       pkiBundle = "/etc/secureboot";
+
+      settings = {
+      };
     };
 
     loader = {
-      # Lanzaboote currently replaces the systemd-boot module.
-      # This setting is usually set to true in configuration.nix
-      # generated at installation time. So we force it to false
-      # for now.
-      systemd-boot.enable = lib.mkForce false;
+      systemd-boot = {
+        # Lanzaboote currently replaces the systemd-boot module.
+        # This setting is usually set to true in configuration.nix
+        # generated at installation time. So we force it to false
+        # for now.
+        enable = false;
+
+        # Disable editing the kernel command line (which could allow someone to become root)
+        editor = false;
+
+        extraEntries = {
+          "live.conf" = ''
+            title Archlinux Live ISO
+            linux /live/vmlinuz-linux
+            initrd /live/initramfs-linux.img
+            options img_loop=/archlinux.iso copytoram
+          '';
+        };
+
+        extraFiles = let
+          iso = import ./archlive_iso.nix {inherit pkgs;};
+        in {
+          "archlinux.iso" = "${iso}/archlinux.iso";
+          "live/initramfs-linux.img" = "${iso}/live/initramfs-linux.img";
+          "live/vmlinuz-linux" = "${iso}/live/vmlinuz-linux";
+        };
+      };
 
       grub = {
         enable = false;
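Review bot: The `"live.conf"` entry added under `extraEntries` offers a live system to anyone who reaches the boot menu, and if `archlive_iso.nix` (not visible here) provides the stock Arch installation image, that is a root session with no password. This works against the `editor = false;` line added just above it, whose comment names exactly that risk. With `lanzaboote.enable = true` and `systemd-boot.enable = false`, it is also worth confirming that `extraEntries`/`extraFiles` are applied at all; an unsigned `/live/vmlinuz-linux` on the ESP would presumably be refused by the firmware while Secure Boot is enforced. I would state the trust assumption next to the entry, e.g. `# Boots an unauthenticated live root environment; offline protection relies on disk encryption and a firmware password, not on editor = false.` The comment kept above `enable = false;` still says the value is forced, which no longer holds now that `lib.mkForce` is gone.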